Remove or de-prioritize RC4 from default cipher suites
Motivation: RC4 is not a recommended cipher suite anymore, as the recent research reveals, such as: - http://www.isg.rhul.ac.uk/tls/ Modifications: - Remove most RC4 cipher suites from the default cipher suites - For backward compatibility, leave RC4-SHA, while de-prioritizing it Result: Potentially safer default
This commit is contained in:
parent
deb815f6cb
commit
8baeff159d
@ -115,18 +115,16 @@ public abstract class JdkSslContext extends SslContext {
|
||||
// XXX: Make sure to sync this list with OpenSslEngineFactory.
|
||||
// GCM (Galois/Counter Mode) requires JDK 8.
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
|
||||
// AES256 requires JCE unlimited strength jurisdiction policy files.
|
||||
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
|
||||
// GCM (Galois/Counter Mode) requires JDK 8.
|
||||
"TLS_RSA_WITH_AES_128_GCM_SHA256",
|
||||
"SSL_RSA_WITH_RC4_128_SHA",
|
||||
"SSL_RSA_WITH_RC4_128_MD5",
|
||||
"TLS_RSA_WITH_AES_128_CBC_SHA",
|
||||
// AES256 requires JCE unlimited strength jurisdiction policy files.
|
||||
"TLS_RSA_WITH_AES_256_CBC_SHA",
|
||||
"SSL_RSA_WITH_DES_CBC_SHA");
|
||||
"SSL_RSA_WITH_DES_CBC_SHA",
|
||||
"SSL_RSA_WITH_RC4_128_SHA");
|
||||
|
||||
if (!ciphers.isEmpty()) {
|
||||
DEFAULT_CIPHERS = Collections.unmodifiableList(ciphers);
|
||||
|
@ -45,15 +45,13 @@ public final class OpenSslServerContext extends SslContext {
|
||||
Collections.addAll(
|
||||
ciphers,
|
||||
"ECDHE-RSA-AES128-GCM-SHA256",
|
||||
"ECDHE-RSA-RC4-SHA",
|
||||
"ECDHE-RSA-AES128-SHA",
|
||||
"ECDHE-RSA-AES256-SHA",
|
||||
"AES128-GCM-SHA256",
|
||||
"RC4-SHA",
|
||||
"RC4-MD5",
|
||||
"AES128-SHA",
|
||||
"AES256-SHA",
|
||||
"DES-CBC3-SHA");
|
||||
"DES-CBC3-SHA",
|
||||
"RC4-SHA");
|
||||
DEFAULT_CIPHERS = Collections.unmodifiableList(ciphers);
|
||||
|
||||
if (logger.isDebugEnabled()) {
|
||||
|
Loading…
Reference in New Issue
Block a user